--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package docker.io/20.10.5+dfsg1-1+deb11u2
- From: Felix Geyer <fgeyer@debian.org>
- Date: Mon, 30 May 2022 21:04:32 +0200
- Message-id: <68785960-0506-dd3c-4951-47dfc9fa6c66@debian.org>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Docker uses containerd to manage containers but fails to set up the proper
dependencies in the systemd service.
https://bugs.debian.org/989490
[ Impact ]
On system shutdown Docker often is unable to properly shut down containers
and just hangs. This delays shutdown until it reaches the timeout
(by default 90s).
[ Tests ]
I have been running these changes on a few hosts for a month and haven't
had any problems regarding start/shutdown since.
[ Risks ]
The changes only touch the systemd service and have been backported from
current upstream.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Order docker.service after containerd.service
* Explicitly pass the containerd socket path to dockerd to make sure it
doesn't start containerd on its own.
diff -Nru docker.io-20.10.5+dfsg1/debian/changelog docker.io-20.10.5+dfsg1/debian/changelog
--- docker.io-20.10.5+dfsg1/debian/changelog 2021-12-04 11:53:03.000000000 +0100
+++ docker.io-20.10.5+dfsg1/debian/changelog 2022-05-30 20:34:49.000000000 +0200
@@ -1,3 +1,12 @@
+docker.io (20.10.5+dfsg1-1+deb11u2) bullseye; urgency=medium
+
+ * Order docker.service after containerd.service to fix shutdown of
+ containers (Closes: #989490)
+ * Explicitly pass the containerd socket path to dockerd to make sure it
+ doesn't start containerd on its own.
+
+ -- Felix Geyer <fgeyer@debian.org> Mon, 30 May 2022 20:34:49 +0200
+
docker.io (20.10.5+dfsg1-1+deb11u1) bullseye; urgency=medium
* Backport patches for CVE-2021-41089 CVE-2021-41091 CVE-2021-41092
diff -Nru docker.io-20.10.5+dfsg1/debian/patches/engine-systemd-service-after-containerd.patch docker.io-20.10.5+dfsg1/debian/patches/engine-systemd-service-after-containerd.patch
--- docker.io-20.10.5+dfsg1/debian/patches/engine-systemd-service-after-containerd.patch 1970-01-01 01:00:00.000000000 +0100
+++ docker.io-20.10.5+dfsg1/debian/patches/engine-systemd-service-after-containerd.patch 2022-05-30 20:09:40.000000000 +0200
@@ -0,0 +1,28 @@
+Description: Order docker.service after containerd.service
+ Fixes proper shutdown of containers.
+Origin: upstream, cherry-picked parts of https://github.com/moby/moby/pull/42373
+ and https://github.com/moby/moby/pull/42622
+Bug-Debian: https://bugs.debian.org/989490
+
+--- docker.io-20.10.11+dfsg1.orig/engine/contrib/init/systemd/docker.service
++++ docker.io-20.10.11+dfsg1/engine/contrib/init/systemd/docker.service
+@@ -1,8 +1,8 @@
+ [Unit]
+ Description=Docker Application Container Engine
+ Documentation=https://docs.docker.com
+-After=network-online.target docker.socket firewalld.service
+-Wants=network-online.target
++After=network-online.target docker.socket firewalld.service containerd.service
++Wants=network-online.target containerd.service
+ Requires=docker.socket
+
+ [Service]
+@@ -11,7 +11,7 @@ Type=notify
+ # exists and systemd currently does not support the cgroup feature set required
+ # for containers run by docker
+ EnvironmentFile=-/etc/default/docker
+-ExecStart=/usr/sbin/dockerd -H fd:// $DOCKER_OPTS
++ExecStart=/usr/sbin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $DOCKER_OPTS
+ ExecReload=/bin/kill -s HUP $MAINPID
+ LimitNOFILE=1048576
+ # Having non-zero Limit*s causes performance problems due to accounting overhead
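Review bot: In the [Unit] change of the new patch, `Wants=containerd.service` is only a weak dependency, so docker.service is still started when containerd.service fails to start or is absent, while the ExecStart change pins dockerd to `--containerd=/run/containerd/containerd.sock` so that it no longer starts containerd on its own. Please say in the patch Description whether the weak form is intended here, or whether `Requires=containerd.service` was considered, since `After=` alone only orders the units and does not pull containerd in. The hard-coded flag also sits before `$DOCKER_OPTS`; a sentence in the Description on whether a `--containerd` set by the admin in /etc/default/docker still takes effect would help anyone who has customised that file. Minor: the inner patch headers name docker.io-20.10.11+dfsg1 while this upload is 20.10.5+dfsg1; that does not affect applying the patch, but refreshing it against the bullseye tree would avoid confusion.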
diff -Nru docker.io-20.10.5+dfsg1/debian/patches/series docker.io-20.10.5+dfsg1/debian/patches/series
--- docker.io-20.10.5+dfsg1/debian/patches/series 2021-12-04 11:53:03.000000000 +0100
+++ docker.io-20.10.5+dfsg1/debian/patches/series 2022-05-30 20:10:09.000000000 +0200
@@ -11,6 +11,7 @@
cli-dont-duplicate-authconfig.patch
engine-add-go.mod-file.patch
+engine-systemd-service-after-containerd.patch
libnetwork-add-go.mod-file.patch
libnetwork_proto.patch
--- End Message ---